From a5a1a2ba9f54e01fb066ac576e3d7813a4bba26b Mon Sep 17 00:00:00 2001
From: Jason <81298350+Deutscher775@users.noreply.github.com>
Date: Sat, 23 Nov 2024 19:21:19 +0100
Subject: [PATCH] Fix post request not requiring a token (huge security vulnerablity) huge thanks to @digidalstudios for finding and reporting it to me
---
 src/api.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/api.py b/src/api.py
index 528f157..7105b07 100644
--- a/src/api.py
+++ b/src/api.py
@@ -418,7 +418,19 @@ async def post_endpoint(
     suspend_status = await astroidapi.suspension_handler.Endpoint.is_suspended(endpoint)
     if suspend_status:
         return fastapi.responses.JSONResponse(status_code=403, content={"message": "This endpoint is suspended."})
-
+
+    if not token:
+        return fastapi.responses.JSONResponse(status_code=401, content={"message": "You must provide a token."})
+    try:
+        data_token = json.load(open(f"{pathlib.Path(__file__).parent.resolve()}/tokens.json", "r"))[f"{endpoint}"]
+        if token != data_token and token != Bot.config.MASTER_TOKEN:
+            return fastapi.responses.JSONResponse(status_code=401, content={"message": "The provided token is invalid."})
+    except KeyError:
+        if token != Bot.config.MASTER_TOKEN:
+            return fastapi.responses.JSONResponse(status_code=401, content={"message": "The provided token is invalid."})
+        else:
+            pass
+
     await astroidapi.endpoint_update_handler.UpdateHandler.update_endpoint(
         endpoint=endpoint,
         index=index,
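Review bot: The comparisons `token != data_token` and `token != Bot.config.MASTER_TOKEN` in the added block are plain string equality, which stops at the first differing character and so lets response latency reveal how much of a secret matched; both should go through `hmac.compare_digest` (stdlib, needs `import hmac` at the top of src/api.py). The same added line reads tokens.json via a bare `open()` passed straight into `json.load`, so the handle is never explicitly closed, and the `else: pass` under `except KeyError` is dead code. A missing or unparseable tokens.json also escapes the `except KeyError` as an unhandled error rather than a deliberate 401/500 response, though I cannot see from this hunk how that file is provisioned. `post_endpoint` begins before this hunk, so whether any state is touched before the token check runs is not visible here; the check should be the first thing the handler does. The rewrite below keeps the same accept/reject semantics (endpoint token or master token; master only when the endpoint has no entry).
```python
    if not token:
        return fastapi.responses.JSONResponse(status_code=401, content={"message": "You must provide a token."})
    tokens_path = pathlib.Path(__file__).parent.resolve() / "tokens.json"
    with open(tokens_path, "r") as fh:
        data_token = json.load(fh).get(f"{endpoint}")

    def _same(presented, expected):
        # Constant-time comparison so latency does not depend on how much of the token matched;
        # an unset/empty expected value never matches.
        return bool(expected) and hmac.compare_digest(str(presented).encode(), str(expected).encode())

    if not (_same(token, Bot.config.MASTER_TOKEN) or _same(token, data_token)):
        return fastapi.responses.JSONResponse(status_code=401, content={"message": "The provided token is invalid."})
    # … unchanged: update_endpoint call …
```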